How I will judge Windows Vista Security


Before I get started, I want to point out this is my opinion, not necessarily anyone else’s viewpoint.


Now that we have shipped Windows Vista and researchers are starting to prod and probe for security bugs, I want to spend a couple of minutes to explain how I will judge Windows Vista security.


“Prodding and poking” started many, many months ago, in part because we asked people to take a look at the product at BlackHat 2006, but we also know there is a great deal of underground research happening too.


The security engineering effort applied to Windows Vista was staggering; I can’t begin to explain all the work we did. I stand by our view that Windows Vista is the most secure Windows we have released. And that translates into the only thing that really interests me: customers are more protected when using Windows Vista than any prior version of Windows. 


Is Windows Vista perfect and utterly security bug free? Of course not! No software is bug free. Not even Macs or Linux 🙂


My prediction for Windows Vista security bugs is pretty simple, and yes, I realize I am going out on a limb here. There will probably be a number of security bugs in the following months; I have no clue what that number will be. I am not going to judge Windows Vista security based on the first few months’ bugs. I will, however, look back two years from now and compare Windows Vista to Windows XP SP2 and Windows Server 2003. I do believe there will be a significant drop in both security bug quantity and severity when compared to prior Windows versions.


There might well be some “ouch” moments, when people in our group look at a bug and ask ourselves, “how on earth did we miss this?”


We will also see some bugs that are unique to Windows Vista. But I believe this number will be reasonably small.


There is one thing you will see that I’m not too thrilled about, but it is what it is. The MSRC rarely reduces the severity of a buffer-related security bug because a defense with no security guarantees such as /GS or /SafeSEH is in place. UAC will be a speed bump, but I doubt we would reduce the severity of many bulletins if UAC is the sole mitigation. The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity. So don’t be surprised if you see a bug that’s, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place. As I understand it, the MSRC will call out defenses that come into play.


So here’s my prediction. We will see significantly fewer critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction of important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected.


Why am I making these claims? I know the SDL works, and we will continue to evolve SDL over time as we learn of new vulnerability types and new defenses, but Windows Vista is the first Windows to go through SDL from start to finish. We know that when you focus on something intensely, you can make a big difference.


I was asked recently what my favorite SDL task is that was used in Windows Vista. It’s hard to pick just one, but I was put on the spot, so I gave one: banned API removal and use of the Standard Annotation Language (SAL). OK, it’s two, but they are closely related. I was also asked for my favorite security feature in Windows Vista; again, it’s hard to pick one, but I would say it’s all the security work in IE7. We saw IE7 come through the Month of Browser Bugs unharmed, and so far only a very small number of vulnerabilities that affect IE6 SP2 affect IE7. The IE team did a great job.
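As an added illustration (not code from the post or from Windows), here is what the two tasks named above look like on a single function: the banned, unbounded string calls are replaced by a bounded copy that refuses to overrun its destination, and SAL annotations tell the analyzer how big the destination is. The function name, the "Hello, " prefix and the fallback SAL macros for non-MSVC compilers are all assumptions for this example.

```c
/* Added example (not from the post): banned API removal plus SAL annotations
 * applied to one function. On MSVC the annotations come from <sal.h>; on other
 * compilers they are defined away so the file still builds. */
#include <stddef.h>
#include <string.h>

#ifdef _MSC_VER
#include <sal.h>
#else
#define _In_z_
#define _Out_writes_z_(n)
#endif

/* "Before" (kept only as a comment): the pattern a banned-API sweep removes.
 *
 *   static void build_greeting_unsafe(char *dst, const char *name) {
 *       strcpy(dst, "Hello, ");   // banned: no bound on dst
 *       strcat(dst, name);        // banned: overruns dst if name is long
 *   }
 */

/* "After": the caller passes the destination size, and _Out_writes_z_(dst_len)
 * records for the analyzer that dst receives at most dst_len chars, including
 * the terminating NUL. Returns the number of chars written (excluding NUL),
 * or -1 if the result would not fit; on -1, dst is left empty rather than
 * silently truncated. */
int build_greeting(_Out_writes_z_(dst_len) char *dst, size_t dst_len,
                   _In_z_ const char *name)
{
    const char prefix[] = "Hello, ";           /* assumed prefix for the demo */
    size_t prefix_len = sizeof(prefix) - 1;
    size_t name_len;
    size_t need;

    if (dst == NULL || dst_len == 0 || name == NULL)
        return -1;

    name_len = strlen(name);
    need = prefix_len + name_len + 1;          /* +1 for the NUL */
    if (need > dst_len) {                      /* would overflow: refuse */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, prefix, prefix_len);
    memcpy(dst + prefix_len, name, name_len + 1); /* copies the NUL too */
    return (int)(need - 1);
}
```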

Comments (13)

  1. Rory McCune says:

    Hi,

    One question on this is, how does Microsoft integrate code that’s been bought in with acquisitions who probably don’t use SDL or an equivalent process?

    Isn’t there a significant risk (especially if the bought in code is security related) that the overall security of the codebase can be compromised by bought in software?

  2. Anon Emous says:

    I’m glad that you consider UAC to be a speed bump in this particular argument, and that your points are based on deeper aspects of Windows security, given that a huge majority of Windows Vista users will disable UAC out of sheer annoyance, leaving them as local administrators with no security protection – just as almost all consumers have been on Windows XP for more than 5 years.

    Really. They will. It’s that annoying for a consumer.

  3. M. Fluch says:

    A bug is a bug, isn’t it? A severe buffer overflow is always a severe buffer overflow. In Vista as in other operating systems. 🙂

  4. michael_HOWARD says:

    M. Fluch, not true at all – see my blog post about VML and Vista.

  5. John says:

    When all those neat features are proven to work in the real world, then, maybe, you can make the claim that a particular vista bug might be less of an issue.

    Until then, there is a serious problem with vista’s enormous code bloat (50 million lines of code) and new "features" (how, really, does the new IP stack serve me, other than as a new attack vector?)

    Given MS’s complete lack of historical credibility in the security arena, IMHO the prudent person shouldn’t touch vista with a 10 foot pole, at least until service pack 2. "Most secure windows ever" is great marketing propaganda, but when you think about the number of critical updates to XP 5 years on, the slogan says nothing.

    If vista manages to go a year without a critical security bug, then one could say that Microsoft finally gets it. Sadly, the current evidence (horrid complexity, feature bloat, and unwieldy DRM) argues the other way.

    "So here’s my prediction. We will see significantly less critical vulnerabilities in the operating system over the next 2 years, as compared to Windows XP, perhaps by a factor of as much as 50%, and a 30% reduction of important vulnerabilities. If we achieve this, I will be happy, because it means customers are more protected."

    That seems to be a polite way to say "Vista will suck less".

  6. michael_HOWARD says:

    John,

    >>how, really, does the new IP stack serve me

    better integrated IP technologies, easier to upgrade, fewer reboots, better perf.

    >>If vista manages to go a year without a critical security bug

    no OS i know of goes a year without a critical security bug.

  7. 3247 says:

    > no OS i know of goes a year without a critical security bug.

    OpenBSD? "Only two remote holes in the default install, in more than 10 years!"

    Of course, "default install" here means "useless".

  8. LarryOsterman says:

    3247.  Don’t forget that sometimes OpenBSD remote holes aren’t always reported as such.

  9. Fooljam says:

    Well people having opinions is fine 🙂

    OpenBSD has had regular security holes for the last 10 years, so I don’t know what you guys are talking about. Try to get yourself subscribed to some security bulletins.

    The remote install process is something else.

    Now comparing an OS with no Gfx environment, with a minimal amount of services/apps, jailing capability, to a day to day usable OS for internet and productivity usage is a bit silly.

    That’s like comparing a small kitchen knife to a powerful, petrol-powered chainsaw. You are saying the table knife is better because there is no petrol leak, it does not break down etc. Well sure, fair enough, but the chainsaw is more effective and productive at the end.

    Install X, KDE/GNOME/OpenOffice, instant messaging software, and many other things on OpenBSD and I wish you good luck recompiling your apps with security patches (when the author/editor bothers to make patches available in a relatively quick way).

    Finally to reply to John’s silly statements.

    Windows has security holes, like any other Operating System.

    Windows does not have more security issues than any comparable OS (some other OS’s security holes have not been discovered yet, but we find more and more, like the recent Mac OS security issues with a large number of new security holes), but Windows is suffering from the worst problem in the world. The one which is causing sickness in Africa, the one which is causing wars, causing terrorism, this is called: LACK OF EDUCATION.

    Users affected by security holes on Windows are the ones who haven’t a clue how Windows works; they just use it because it is easy, they just need to click on icons. But basically they don’t know how to use and secure it.

    Many users on Windows are using an admin account on a daily basis, exposing themselves to silly kits, viruses, trojans, etc. because they don’t know what the best practices should be.

    Do you know guys on Linux/Unix using a root account on a daily basis? This is where the problem is.

    Windows includes a lot of ways to secure the OS, but people are not aware of these.

    It is easy to protect a Windows client/server by implementing some of the technologies available, by doing some registry customisations, disabling useless services, …

    But nobody does that, they just use Windows the way it comes. And this is wrong, Microsoft has been communicating for years on this.

    Many web servers are now running on IIS and Windows Servers, if Windows was so insecure that would not be the case.

    Thousands of ISP all over the world are now hosting Windows Dedicated Server, providing Exchange/SharePoint hosting, IIS/ASPX hosting.

    Over 60% of the mail servers in enterprises are Exchange Servers; if Linux solutions were more secure, stable, reliable, Exchange would not be that high.

    People saying Linux/Unix is more secure than Windows are stupid. You can not compare those OS like that.

    Plus this is definitely wrong anyway.

    Vista is far more secure and faster than XP, even though it uses more memory.

    The new IP stack is brilliant and dramatically improves network communications at many layers.

    And saying MS is lacking "historical credibility in the security arena" is also completely stupid.

    You really don’t know what you’re talking about.

    MS Security R/D is based in Israel (more than 10 years now) and I can tell you MS security products such as ISA Server or IAG Server are among the best in the world, but you did not bother to look at them and their potential. You are truly missing something, man.

    Vista locks down many aspects of the interface, to force the end user to use some security features.

    Now Vista already has some discovered vulnerabilities, and that’s fair enough, Microsoft is going to address them.

    I have no MS shares, I am not a MS employee, but I know very well both OS (Windows and Unix).

    My experience has shown me that people talking bull*** about an OS don’t know that OS, and only roughly know the main OS they are using.

    So guys seriously take the time to study a bit more your OS and Windows before you talk. Because you look so bad sometimes…

  10. John says:

    >>how, really, does the new IP stack serve me

    >better integrated IP technologies, easier to upgrade, fewer reboots, better perf.

    OK, let’s take those in turn:

    >better integrated IP technologies

    IP stack functionality usually ends at layer 4 (tcp/udp), with sockets acting as the interface of choice. MS allows layered service providers in xp. What does the vista IP stack add?

    >easier to upgrade

    Hopefully, the IP stack is a piece of secure and tested code, so it doesn’t need to be upgraded. If it does  require updates, replace the winsock and associated dlls. How does vista change that?

    >fewer reboots

    Call me crazy, but no config change in the stack should cause a reboot.

    >better perf

    For Joe Random web surfer, the major issues with network performance are latency, bandwidth, and server responsiveness. I can’t see how the local stack can improve these.

    For a server, maybe this could help, but serious server guys use tcp offload cards, which is the ultimate in better ip stack perf.

    So, unless I’m missing something here, I get no better service from the vista stack.

  11. John says:

    >>If vista manages to go a year without a critical security bug

    >no OS i know of goes a year without a critical security bug.

    Fine, then MS should stop the oversell of the security features. If I listened to the rants of Ballmer et al., Vista is the Second Coming, somewhat like Allchin’s XP comment "the company has done a complete code review of its operating system and removed all buffers which could overflow." (http://www.vnunet.com/networkitweek/news/2057931/microsoft-stamps-xp-buffer-overflows) History has shown that comment to be a bit optimistic.

    As for MS fanboy fooljam — you talk a lot, but offer only sweeping generalities. My "MS’s complete lack of historical credibility in the security arena" comes from the huge numbers on critical updates on XP and previous versions, and from Jim Allchin’s comment that "some MS code was so flawed it could not be safely disclosed" (http://www.eweek.com/article2/0,3959,5264,00.asp) during the antitrust trial.

    And I’m no linux fanboy. Having spent a few years working in Redmond, I found people who were bright and serious about improving security. Based on what I’ve seen, I’d bet that Michael Howard is one of them. Unfortunately, MS’s complexity fetish seems to beat the good intent of the company. I saw PMs compete on how many API members they could spec — I would guess that member count was in their review goals. The graphical representation of the windows o/s was truly scary with all of its layers and some circular dependencies. Windows feels like the ultimate Rube Goldberg machine — so big and complex that no one can truly understand it. And if you can’t understand it, you can’t fix it.

    We really don’t need every utility on the planet in the operating system, nor do we need backward compatibility to MS-DOS.

  12. michael_HOWARD says:

    >>I get no better service from the vista stack.

    perhaps you won’t, but many will.